There was a mass withdrawal event on Oct 2, almost all recent vulnerabilities in GIT are incorrectly withdrawn

[timothee-chauvin]

On Oct 2 (two days after the blog post on data quality, which might be related), many vulnerabilities in the GIT ecosystem became incorrectly marked as withdrawn. I count 1,736 vulnerabilities that were marked as withdrawn on 2024-10-02, and only 19 vulnerabilities out of 1,612 since 2024-03-01 are not marked as withdrawn.

Steps to reproduce:

$ cd /tmp
$ wget https://osv-vulnerabilities.storage.googleapis.com/GIT/all.zip
$ unzip all.zip -d GIT
$ cd GIT
$ grep -r '"withdrawn": "2024-10-02' | wc -l
1736
$ # By the way, there was another mass withdrawal event on 2024-05-15, but I haven't looked into it:
$ grep -r '"withdrawn": "2024-05-15' | wc -l
1818

A random example of a vulnerability marked as withdrawn in OSV but not in e.g. cvelistV5: CVE-2024-46978.

$ grep "withdrawn" CVE-2024-46978.json
  "withdrawn": "2024-10-02T01:21:06.482138Z",

The corresponding file on cvelistV5 hasn't been updated since September 20 and isn't marked as withdrawn.

This might be an issue with an upstream provider of data, but I don't know which one it is for GIT, so I'm reporting here.

The only 19 vulnerabilities since March 1st which aren't marked as withdrawn are: ['CURL-CVE-2024-7264', 'CURL-CVE-2024-2466', 'PSF-2024-10', 'CURL-CVE-2024-2379', 'PSF-2024-9', 'PSF-2024-11', 'PSF-2024-8', 'CURL-CVE-2024-8096', 'CURL-CVE-2024-6197', 'PSF-2024-4', 'PSF-2024-2', 'PSF-2024-7', 'CURL-CVE-2024-6874', 'CURL-CVE-2024-2004', 'CURL-CVE-2024-2398', 'PSF-2024-1', 'PSF-2024-3', 'PSF-2024-6', 'PSF-2024-5'] (no mention of CVE-*)

Personally, I won't be able to update the eyeballvul benchmark until this is fixed, since almost all recent vulnerabilities are now marked as withdrawn.

Do you know where this could be coming from?

[michaelkedar]

Sorry for the delay - we've just come back from a long weekend.

The problem seems to coincide with last week's deployment, so I'm going to revert that while we look into it further.

[michaelkedar]

To give an update:
This seems to have been caused by a bug on our end, not the upstream data source (NVD).

Rolling back the release has un-withdrawn many of these vulnerabilities. It might take a little bit more time for it to fully propagate through to the bucket - I'll take another look tomorrow.

I've pushed a fix for the bug, which should hopefully prevent this happening in the future. That should be deployed sometime this week.

Thanks for your detailed report! Let us know if there's still a problem.

[hogo6002]

We have fixed this issue:

/tmp/GIT$ grep -r '"withdrawn": "2024-10-02' | wc -l
$ 7